Oracle trowels more plaster over flawed Java browser plugin

Oracle has issued a rare emergency patch to address two vulnerabilities in the Java plugin for web browsers that the company says are being actively exploited. "Due to the severity of these vulnerabilities, and the reported exploitation of CVE-2013-1493 'in the wild,' Oracle strongly recommends that customers apply the updates …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Java 7 Update #17? I'm too exhausted to upload again

    When will Oracle get it right?

    1. Euripides Pants

      Re: Java 7 Update #17? I'm too exhausted to upload again

      Around dinnertime.

      Not sure what year, but it'll be around dinnertime...
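The one thing a reader of this thread can actually act on is checking whether a box carries the update level the commenter names. The script below is an added example, not code from the article, the thread or Oracle: it parses `java -version` banners (which Java prints to stderr) and the "7u17" shorthand, and compares against an assumed fix level of Java 7 Update 17 taken from the comment above, since the article excerpt itself does not state the patched build. The hostnames and banners are constructed sample data.

```python
import re
import subprocess

# Assumed fix level, taken from the commenter's "Java 7 Update #17"; the
# article excerpt does not itself state the patched build, so treat this as
# an input to the check, not a fact established by the page.
MIN_UPDATE = {7: 17}

# Matches the JDK-style "1.7.0_17" form and the shorthand "7u17" form. A build
# suffix such as "-b02" after the update number is ignored.
_VERSION_RE = re.compile(r"1\.(\d+)\.0_(\d+)|\b(\d+)u(\d+)\b")


def parse_java_version(text):
    """Return (major, update) from a `java -version` banner or a bare label.

    Accepts 'java version "1.7.0_17"', '1.6.0_41' or '7u17'.
    Returns None when no recognisable version is present.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    if m.group(1) is not None:
        return int(m.group(1)), int(m.group(2))
    return int(m.group(3)), int(m.group(4))


def is_patched(text, minimums=MIN_UPDATE):
    """True/False when the major version has a known fix level in `minimums`;
    None when the banner is unparseable or the major version is not listed,
    so an unknown host is never silently reported as patched."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    if major not in minimums:
        return None
    return update >= minimums[major]


def audit_hosts(banners, minimums=MIN_UPDATE):
    """Map hostname -> 'patched' / 'VULNERABLE' / 'unknown' for a dict of
    hostname -> `java -version` output collected from each host."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown"}
    return {host: labels[is_patched(text, minimums)] for host, text in banners.items()}


def local_banner():
    """Collect this machine's own banner; `java -version` writes to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except OSError:
        return ""
    return proc.stderr + proc.stdout


# Constructed sample banners standing in for what `java -version` returned on
# four hosts; these are not real inventory data.
SAMPLE_BANNERS = {
    "ws-01": 'java version "1.7.0_15"\nJava(TM) SE Runtime Environment (build 1.7.0_15-b03)',
    "ws-02": 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)',
    "ws-03": 'java version "1.6.0_41"',
    "ws-04": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, status in audit_hosts(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```

Java 6 hosts come back as "unknown" on purpose: the FAQ text quoted later in the thread only says which 6 builds remain downloadable, not which of them carry this fix, so the script refuses to guess a minimum for that line. To check the machine you are sitting at, feed `local_banner()` to `is_patched`.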

  2. M Gale

    And when Oracle manage to sort their certificates out so I know what I'm downloading, I might download it.

    Until then, browser plugin disabled.

    1. Dan 55

      The certificate messages don't even mention Java but they do have some badly drawn icons of the same type as 'A virus has just infected your PC!'

      Which as it's Java is quite possibly true. Would you trust malware not to drive a truck through Oracle's new shiny security settings?

  3. Shannon Jacobs

    What is the latest version, Kenneth?

    I sure hope that for 64-bit Windows 7 the current version is 21. How could things get any worse?

  4. Muckminded

    Too bad hackers don't know to stick to Oracle's patch schedule. That's just rude.

  5. EmperorFromage

    You will be assimilated

    ... by a neverending stream of updates, until you all have started to love the ask.com toolbar.

  6. Nate Amsden

    last java 6 update?

    I think I saw this link posted on slashdot

    http://java.com/en/download/faq/java_6.xml

    "After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. All Java 6 releases up to and including 6u43 will be moved to the Java Archive on the Oracle Technology Network, where they will remain available but not receive updates."

    Would be nice if El Reg could get some confirmation.

    1. Fuzz

      Re: last java 6 update?

      It said that after 6u41 so who knows when the actual last version of 6 will happen.

    2. Anonymous Coward

      Re: last java 6 update?

      Yeah, they may have INTENDED to not release updates after Feb 2013, but I think the negative feedback they'd get for not fixing the security [insert salty sailor language here] they've had would pretty much kill any hopes they have of converting the Java 6 developer community to Java 7.

  7. NP-Hardass

    What options are left?

    I feel like maybe Oracle should publish an ultra minimal subset of java, redesigned from scratch, focusing on solid design, and progressively build up and out until it catches up with the current featureset, while allowing the current, unstable branch to grow feature wise, so the language doesn't TOTALLY die out in the interim.

  8. Ralph B

    An Old Fart Remembers the Good Old Days

    I remember when Java was originally launched (around the time of lots of ActiveX exploits) and much was made of its (Java's) super-duper sandbox security model that would keep us safe forever.

    How did that work out then?

  9. Erik N.

    The process is tiresome

    1. Install new update after it bugs me incessantly for several days in a row.

    2. Tell it that I do not want the farking Ask.com toolbar for the 17th time.

    3. Re-disable the plugin in my browser, again for the 17th time.

    If I didn't need Eclipse and the Android SDK, this piece of trash would be banned from my systems. :P

    1. gollux

      Re: The process is tiresome

      Oracle Sievemaster Sisyphus, just keep rolling that stone!

      One day it may stay up there at the top of the hill, somewhere around the heat death of the universe.

  10. Anonymous Coward

    Java is a mess

    You know when the latest O'Reilly "Nutshell" book for Java is nearly 3" thick that something has gone completely awry.

    1. wikkity

      Re: Java is a mess

      It's that big as they pad it out with API documentation that is available elsewhere.

      > something has gone completely awry.

      Eh, because it has a such a wide ranging API something has gone awry? Personally I would have thought that is one of the reasons it is such a common choice of language.

      1. Anonymous Coward

        Re: Java is a mess

        It's a bit like the horsemeat scandal: all those APIs that are the reason it's a common choice of language represent programmers who are prepared to trust that some complete stranger "upstream" has done their job correctly and their code can simply be called without fuss.

        In fact, just as it turned out that our "from the shelf to the field" food tracking system of trust was bogus, the API chain often (in any language) turns out to be full of holes, patches, and just plain bad programming. Oracle's struggle to fix this is exactly analogous to what happened in the wake of the first revelations about the horsemeat - someone went to fix what they thought was an isolated problem and discovered the rotting systemic mess behind that outbreak.

        I'm not saying this is a specifically Java problem - if anything it's an inherent problem in the culture of Object Oriented Programming: the idea that you can have "shrink-wrapped" components from vendors you can trust (I know the concept also appears in pre-/non-OOP systems too). But at the end of the day, why do you actually think you can trust someone else's code? I can barely trust my own, to be honest.

        That 3" thick Nutshell book represents 3" of APIs that someone is asking you to take on trust. Is that a good idea, regardless of how common it is that programmers do in fact accept it?

        1. wikkity

          Re: complete stranger "upstream" has done their job correctly

          > and their code can simply be called without fuss.

          No, that is what testing is for

  11. Anonymous Coward

    Disable Java

    It has no business being in a browser anyway, or installed on a client.

    It's barely serviceable on a server these days.

    It's time for Java to die.

    1. wikkity

      Re: Disable Java

      > It has no business being in a browser anyway,

      Ideally you are right, users of legacy enterprise apps may disagree.

      > or installed on a client. It's barely serviceable on a server these days.

      If you use your name you can use the troll icon, you know

  12. flashdba

    Ask Toolbar?

    And on top of the relentless security fixes, we have to constantly fight off the installer's attempts to install the Ask Toolbar. I don't want the bloody Ask Toolbar! Oracle, you suck...

  13. TeeCee

    Oracle?

    Keep digging, we can still see your heads.

  14. wikkity

    Only 6 users left?

    > which urged all six Java users who have not yet disabled the plugin

  15. Dave Robinson

    What a load of pointless fuss

    So Java is rubbish because the browser plugin has the odd vulnerability or two (which could in fact be due to integration with the browser rather than anything fundamental to Java itself). Chrome and Firefox seem to get patched every five minutes and no one bats an eyelid. Known M$ vulnerabilities can hang around for months before they get fixed.

    Anyone would think that someone has got it in for Java. Maybe it's Oracle that is spreading all this FUD and hatred?

    Personally, I love Java and hate Oracle. I don't want the Ask toolbar, and it would be nice if the documentation didn't have lots of broken links to the Sun websites, or pointless links to top-level pages. However, I think the language is great, and is still a brilliant way to produce functional cross-platform applications (client or server) using a proper strongly-typed OO language.

  16. JaitcH

    Thank You, Firefox

    Any Reg readers checking their Options will discover that Mozilla 'nuked' Java, without so much as a request.

    I'm thankful, as both my wife and daughter, undoubtedly like many others, haven't a clue on how to disable Java.

    What of Internet Explorer?

    1. Anonymous Coward

      No thank You, Firefox

      Screw you, Firefox. Stop disabling addons without telling me first, and offering me the option of leaving them enabled.

  17. PeterM42

    When a software supplier....

    ...has versions numbered 10.2.5471.2.15.26 (or whatever), you just KNOW there is some inherent problem.

    I remember when having to provide support for Oracle apps, it was ESSENTIAL to get EXACTLY the right version of Oracle (which was always a PAIN to install), because there seemed to be no onwards/backwards compatibility with Oracle and, of course, no "Oracle Update" as per Windows.

    If we ever got a new Oracle application to support, we knew support costs were going to be MUCH higher than comparable non-Oracle apps.

  18. wobster

    The other side of the story

    So I guess it's no big deal that most of the popular browsers have had recent critical security exploits:

    http://www.theregister.co.uk/2013/03/05/google_chrome_pre_pwn2own_update/

    or that Windows is still riddled with security exploits

    http://mobile.theverge.com/2013/2/13/3983846/googlers-found-over-50-percent-of-the-bugs-in-microsofts-massive-update

    It is my opinion that Java/JavaFX kicks HTML5's butt when it comes to performance, capability and maintainability:

    http://download.oracle.com/otndocs/products/javafx/2.2/samples/Ensemble/index.html

    http://jfxtras.org/resources/java/Ensemble.jnlp

    http://goworldwind.org/demos/

    (Of course, many of you won't be able to see these demos since you have been manipulated into disabling Java.)

    The truth is that any software that is exposed to the network may have a critical security vulnerability. Every time that software is touched, another vulnerability may be exposed. (Remember how a simple buffer overrun exploit was used in the Unix "finger" program to bring down the internet in the '80s?)

    At least Java was designed for security from the beginning and has more of a chance of being secure than most other networked applications. Java 7 was a big change from Java 6 and will have some short term hiccups. The nice thing about Java is that it is open source so the vulnerabilities will be discovered quickly as thousands of hackers, developers and security firms probe through the source code. (i.e. Java doesn't rely on security through obscurity.)

  19. ecofeco

    Poetic Justice

    ...and the exploiters become the exploited.
